itsouvalas/install.md

## install.md

      
    Raw
  

              install.md
            
          
    Introduction

In the following lines we will go through each step required to deploy cf-k8s-controllers using the documentation already in place and provide a list of commands as a runbook along with additions that may come up during the process.
Prerequisites


kubectl
kubernetes cluster of one of the upstream releases
container registry - in this example we are using dockerhub
cf cli version 8.1 or greater
Helm
git clone https://github.com/cloudfoundry/cf-k8s-controllers

Dependencies

cert-manager


cert-manager adds certificates and certificate issuers as resource types in Kubernetes clusters, and simplifies the process of obtaining, renewing and using those certificates.
Install

kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.5.3/cert-manager.yaml
example output

customresourcedefinition.apiextensions.k8s.io/certificaterequests.cert-manager.io created
customresourcedefinition.apiextensions.k8s.io/certificates.cert-manager.io created
customresourcedefinition.apiextensions.k8s.io/challenges.acme.cert-manager.io created
customresourcedefinition.apiextensions.k8s.io/clusterissuers.cert-manager.io created
customresourcedefinition.apiextensions.k8s.io/issuers.cert-manager.io created
customresourcedefinition.apiextensions.k8s.io/orders.acme.cert-manager.io created
namespace/cert-manager created
serviceaccount/cert-manager-cainjector created
serviceaccount/cert-manager created
serviceaccount/cert-manager-webhook created
clusterrole.rbac.authorization.k8s.io/cert-manager-cainjector created
clusterrole.rbac.authorization.k8s.io/cert-manager-controller-issuers created
clusterrole.rbac.authorization.k8s.io/cert-manager-controller-clusterissuers created
clusterrole.rbac.authorization.k8s.io/cert-manager-controller-certificates created
clusterrole.rbac.authorization.k8s.io/cert-manager-controller-orders created
clusterrole.rbac.authorization.k8s.io/cert-manager-controller-challenges created
clusterrole.rbac.authorization.k8s.io/cert-manager-controller-ingress-shim created
clusterrole.rbac.authorization.k8s.io/cert-manager-view created
clusterrole.rbac.authorization.k8s.io/cert-manager-edit created
clusterrole.rbac.authorization.k8s.io/cert-manager-controller-approve:cert-manager-io created
clusterrole.rbac.authorization.k8s.io/cert-manager-controller-certificatesigningrequests created
clusterrole.rbac.authorization.k8s.io/cert-manager-webhook:subjectaccessreviews created
clusterrolebinding.rbac.authorization.k8s.io/cert-manager-cainjector created
clusterrolebinding.rbac.authorization.k8s.io/cert-manager-controller-issuers created
clusterrolebinding.rbac.authorization.k8s.io/cert-manager-controller-clusterissuers created
clusterrolebinding.rbac.authorization.k8s.io/cert-manager-controller-certificates created
clusterrolebinding.rbac.authorization.k8s.io/cert-manager-controller-orders created
clusterrolebinding.rbac.authorization.k8s.io/cert-manager-controller-challenges created
clusterrolebinding.rbac.authorization.k8s.io/cert-manager-controller-ingress-shim created
clusterrolebinding.rbac.authorization.k8s.io/cert-manager-controller-approve:cert-manager-io created
clusterrolebinding.rbac.authorization.k8s.io/cert-manager-controller-certificatesigningrequests created
clusterrolebinding.rbac.authorization.k8s.io/cert-manager-webhook:subjectaccessreviews created
role.rbac.authorization.k8s.io/cert-manager-cainjector:leaderelection created
role.rbac.authorization.k8s.io/cert-manager:leaderelection created
role.rbac.authorization.k8s.io/cert-manager-webhook:dynamic-serving created
rolebinding.rbac.authorization.k8s.io/cert-manager-cainjector:leaderelection created
rolebinding.rbac.authorization.k8s.io/cert-manager:leaderelection created
rolebinding.rbac.authorization.k8s.io/cert-manager-webhook:dynamic-serving created
service/cert-manager created
service/cert-manager-webhook created
deployment.apps/cert-manager-cainjector created
deployment.apps/cert-manager created
deployment.apps/cert-manager-webhook created
mutatingwebhookconfiguration.admissionregistration.k8s.io/cert-manager-webhook created
validatingwebhookconfiguration.admissionregistration.k8s.io/cert-manager-webhook created


applying this manifest will create 3 pods along with the default kube-system pods already running under the cert-manager manager namespace:
NAMESPACE      NAME                                      READY   STATUS    RESTARTS   AGE
cert-manager   cert-manager-848f547974-xzx82             1/1     Running   0          20s
cert-manager   cert-manager-cainjector-54f4cc6b5-w9mtz   1/1     Running   0          21s
cert-manager   cert-manager-webhook-58fb868868-jz8tv     1/1     Running   0          19s

Configure Docker Registry


All pods running on kuberenetes are containers instantiated by docker images. Given cf-k8s-controllers is running on top of a kubernetes cluster we need to define a docker registry to store our builds/images. Use the command bellow and edit accordingly:
kubectl create secret docker-registry image-registry-credentials \
    --docker-username="<DOCKER_USERNAME>" \
    --docker-password="<DOCKER_PASSWORD>" \
    --docker-server="<DOCKER_SERVER>" --namespace default
Below is an example of using dockerhub
kubectl create secret docker-registry image-registry-credentials \
    --docker-username="1oannis" \
    --docker-password="s0m3p@$$w0rd" \
    --docker-server="https://index.docker.io/v1/" --namespace default
example output

secret/image-registry-credentials created


A  quick look at the secrets will show us the recent addition:
kubectl get secrets
example output

NAME                         TYPE                                  DATA   AGE
default-token-jrpgw          kubernetes.io/service-account-token   3      8d
image-registry-credentials   kubernetes.io/dockerconfigjson        1      3m39s


kpack


kpack extends Kubernetes and utilizes unprivileged kubernetes primitives to provide builds of OCI images as a platform implementation of Cloud Native Buildpacks (CNB).
Install

kubectl apply -f https://github.com/pivotal/kpack/releases/download/v0.5.2/release-0.5.2.yaml
example output

namespace/kpack created
customresourcedefinition.apiextensions.k8s.io/builds.kpack.io created
customresourcedefinition.apiextensions.k8s.io/builders.kpack.io created
customresourcedefinition.apiextensions.k8s.io/clusterbuilders.kpack.io created
customresourcedefinition.apiextensions.k8s.io/clusterstacks.kpack.io created
customresourcedefinition.apiextensions.k8s.io/clusterstores.kpack.io created
configmap/build-init-image created
configmap/build-init-windows-image created
configmap/rebase-image created
configmap/lifecycle-image created
configmap/completion-image created
configmap/completion-windows-image created
deployment.apps/kpack-controller created
serviceaccount/controller created
clusterrole.rbac.authorization.k8s.io/kpack-controller-admin created
clusterrolebinding.rbac.authorization.k8s.io/kpack-controller-admin-binding created
clusterrole.rbac.authorization.k8s.io/kpack-controller-servicebindings-cluster-role created
clusterrolebinding.rbac.authorization.k8s.io/kpack-controller-servicebindings-binding created
role.rbac.authorization.k8s.io/kpack-controller-local-config created
rolebinding.rbac.authorization.k8s.io/kpack-controller-local-config-binding created
customresourcedefinition.apiextensions.k8s.io/images.kpack.io created
service/kpack-webhook created
customresourcedefinition.apiextensions.k8s.io/sourceresolvers.kpack.io created
mutatingwebhookconfiguration.admissionregistration.k8s.io/defaults.webhook.kpack.io created
validatingwebhookconfiguration.admissionregistration.k8s.io/validation.webhook.kpack.io created
secret/webhook-certs created
deployment.apps/kpack-webhook created
serviceaccount/webhook created
role.rbac.authorization.k8s.io/kpack-webhook-certs-admin created
rolebinding.rbac.authorization.k8s.io/kpack-webhook-certs-admin-binding created
clusterrole.rbac.authorization.k8s.io/kpack-webhook-mutatingwebhookconfiguration-admin created
clusterrolebinding.rbac.authorization.k8s.io/kpack-webhook-certs-mutatingwebhookconfiguration-admin-binding created


applying this manifest fires up 2 additional pods under kpack namespace:
NAMESPACE      NAME                                      READY   STATUS    RESTARTS   AGE
kpack          kpack-controller-5f85c5b74b-8hmjl         1/1     Running   0          42s
kpack          kpack-webhook-864886f7bc-56gd7            1/1     Running   0          27s

Configure a builder

Depending on the docker registry configured earlier, you would like to edit cf-k8s-controllers/dependencies/kpack/cluster_builder.yaml and include your registry. Here is our example for dockerhub:
apiVersion: kpack.io/v1alpha2
kind: ClusterBuilder
metadata:
  name: cf-kpack-cluster-builder
spec:
  serviceAccountRef:
    name: kpack-service-account
    namespace: cf
  # Replace with real docker registry
  #  tag: gcr.io/cf-relint-greengrass/cf-k8s-controllers/kpack/beta
  tag: index.docker.io/1oannis/cf-k8s-controllers/kpack
  stack:
  ...
🔆 Hint
Unless you have created the cf namespace already, you can apply these config files by first pointing to default namespace. You can quickly replace the references by cd-ing to the cf-k8s-controllers/dependencies/kpack/ and issue the following":
sed -i 's/namespace: cf/namespace: default/g' *

Else, you can create the cf namespace like so:
kubectl create namespace cf

Once everything has been configured, make sure that you are at the root directory of the cloned repository and issue:
kubectl apply -f dependencies/kpack/service_account.yaml \
    -f dependencies/kpack/cluster_stack.yaml \
    -f dependencies/kpack/cluster_store.yaml \
    -f dependencies/kpack/cluster_builder.yaml
Contour


Contour is an Ingress controller for Kubernetes that works by deploying the Envoy proxy as a reverse proxy and load balancer.
Install

kubectl apply -f https://projectcontour.io/quickstart/contour.yaml
example output

namespace/projectcontour created
serviceaccount/contour created
serviceaccount/envoy created
configmap/contour created
customresourcedefinition.apiextensions.k8s.io/contourconfigurations.projectcontour.io created
customresourcedefinition.apiextensions.k8s.io/contourdeployments.projectcontour.io created
customresourcedefinition.apiextensions.k8s.io/extensionservices.projectcontour.io created
customresourcedefinition.apiextensions.k8s.io/httpproxies.projectcontour.io created
customresourcedefinition.apiextensions.k8s.io/tlscertificatedelegations.projectcontour.io created
serviceaccount/contour-certgen created
rolebinding.rbac.authorization.k8s.io/contour created
role.rbac.authorization.k8s.io/contour-certgen created
job.batch/contour-certgen-v1.20.1 created
clusterrolebinding.rbac.authorization.k8s.io/contour created
clusterrole.rbac.authorization.k8s.io/contour created
service/contour created
service/envoy created
deployment.apps/contour created
daemonset.apps/envoy created


Here are the recently created pods:
NAMESPACE        NAME                                      READY   STATUS      RESTARTS   AGE
projectcontour   contour-8696cbb9-5ztz8                    0/1     Running     0          10s
projectcontour   contour-8696cbb9-zjz9k                    0/1     Running     0          10s
projectcontour   contour-certgen-v1.20.1-8nw4b             0/1     Completed   0          15s
projectcontour   envoy-bq6r4                               1/2     Running     0          8s
projectcontour   envoy-cfmmg                               1/2     Running     0          8s
projectcontour   envoy-kvmbf                               1/2     Running     0          8s
projectcontour   envoy-rbb9s                               1/2     Running     0          8s
projectcontour   envoy-xj7k9                               1/2     Running     0          8s

Configuring ingress


To enable external access to workloads running on the cluster, you must configure ingress. Generally, a load balancer service will route traffic to the cluster with an external IP and an ingress controller will route the traffic based on domain name or the Host header.


Provisioning a load balancer service is generally handled automatically by Contour, given the cluster infrastructure provider supports load balancer services. When a load balancer service is reconciled, it is assigned an external IP by the infrastructure provider.

In our case, EKS has created the load balancer and assigned an external url for it. We can grab it using the following:
kubectl get service envoy -n projectcontour -o wide

example output

NAME    TYPE           CLUSTER-IP       EXTERNAL-IP                                                               PORT(S)                      AGE     SELECTOR
envoy   LoadBalancer   10.100.100.236   a4f6620fe317b447fb69a7b3ee07cbd2-2121984464.us-east-1.elb.amazonaws.com   80:30048/TCP,443:31661/TCP   3h23m   app=envoy


we may then create a cname record to our dns provider and point it to the cf domain we are going to be using.
Domain Management


To be able to create workload routes via the CF API in the absence of the domain management endpoints, you must first create the appropriate CFDomain resource(s) for your cluster. Each desired domain name should be specified via the spec.name property of a distinct resource. The metadata.name for the resource can be set to any unique value (the API will use a GUID).

To configure it you will have to edit controllers/config/samples/cfdomain.yaml to add your CFDomain of choice. Here is the configuration for our example:
First we create a random UUID
uuidgen

example output

7810338d-92a9-47de-8f6c-d8aa09727bb0


and the we add that and the domain as below:
apiVersion: networking.cloudfoundry.org/v1alpha1
kind: CFDomain
metadata:
  name: 7810338d-92a9-47de-8f6c-d8aa09727bb0
  namespace: cf
spec:
  name: cfk8s.cloudruntime.eu
Default Domain


At the time of installation, platform operators can configure a default domain so that app developers can push an application without specifying domain information.
Operator can do so by setting the defaultDomainName at api/config/base/apiconfig/cf_k8s_api_config.yaml. The value should match spec.name on the CFDomian resource.

Here is our version:
externalFQDN: "api.cfk8s.cloudruntime.eu"
internalPort: 9000

rootNamespace: cf
defaultLifecycleConfig:
  type: buildpack
  stack: cflinuxfs3
  stagingMemoryMB: 1024
  stagingDiskMB: 1024
packageRegistryBase: index.docker.io/1oannis/cf-k8s-controllers/kpack
packageRegistrySecretName: image-registry-credentials # Create this secret in the rootNamespace
clusterBuilderName: cf-kpack-cluster-builder
defaultDomainName: apps.cfk8s.cloudruntime.eu
Eirini-Controller


Eirini Controller is a Kubernetes controller that aims to enable Cloud Foundry to deploy applications as Pods on a Kubernetes cluster. It brings the CF model to Kubernetes by definig well known Diego abstractions such as Long Running Processes (LRPs) and Tasks as custom Kubernetes resources.
Install

As per the installation instructions:

The eirini-controller system and workloads namespaces need to be created upfront

kubectl create ns eirini-controller
kubectl create ns cf-workloads
example output

namespace/eirini-controller created
namespace/cf-workloads created


Secrets containing certificates for the webhooks need to be created. We have a script that does that for local dev and testing purposes

curl https://raw.githubusercontent.com/cloudfoundry-incubator/eirini-controller/master/deployment/scripts/generate-secrets.sh | bash -s - "*.eirini-controller.svc"
example output

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   890  100   890    0     0   1762      0 --:--:-- --:--:-- --:--:--  1762
Will now generate tls.ca tls.crt and tls.key files
~/aws/cf-k8s-controllers/keys ~/aws/cf-k8s-controllers
Error from server (AlreadyExists): namespaces "eirini-controller" already exists
Generating a RSA private key
..............................................................................................................................................................................++++
.................++++
writing new private key to 'tls.key'
-----
Creating the eirini-webhooks-certs secret in your kubernetes cluster
secret/eirini-webhooks-certs created
Done!


In ordrer to install eirini-controller to your k8s cluster, run the command below, replacing x.y.z with a valid release version

VERSION=0.2.0; \
WEBHOOK_CA_BUNDLE="$(kubectl get secret -n eirini-controller eirini-webhooks-certs -o jsonpath="{.data['tls\.ca']}")"; \
helm install eirini-controller https://github.com/cloudfoundry-incubator/eirini-controller/releases/download/v$VERSION/eirini-controller-$VERSION.tgz \
  --namespace eirini-controller \
  --set "webhooks.ca_bundle=$WEBHOOK_CA_BUNDLE"
example output

NAME: eirini-controller
LAST DEPLOYED: Fri Apr  1 08:07:12 2022
NAMESPACE: eirini-controller
STATUS: deployed
REVISION: 1
TEST SUITE: None

Hierarchical Namespaces Controller


Hierarchical namespaces

Mmake it easier to share your cluster by making namespaces more powerful. For example, you can create additional namespaces under your team's namespace, even if you don't have cluster-level permission to create namespaces, and easily apply policies like RBAC and Network Policies across all namespaces in your team (e.g. a set of related microservices).

Install

kubectl apply -f "https://github.com/kubernetes-sigs/hierarchical-namespaces/releases/download/v1.0.0/default.yaml"
example output

namespace/hnc-system created
customresourcedefinition.apiextensions.k8s.io/hierarchyconfigurations.hnc.x-k8s.io created
customresourcedefinition.apiextensions.k8s.io/hncconfigurations.hnc.x-k8s.io created
customresourcedefinition.apiextensions.k8s.io/subnamespaceanchors.hnc.x-k8s.io created
role.rbac.authorization.k8s.io/hnc-leader-election-role created
clusterrole.rbac.authorization.k8s.io/hnc-admin-role created
clusterrole.rbac.authorization.k8s.io/hnc-manager-role created
clusterrole.rbac.authorization.k8s.io/hnc-proxy-role created
rolebinding.rbac.authorization.k8s.io/hnc-leader-election-rolebinding created
clusterrolebinding.rbac.authorization.k8s.io/hnc-manager-rolebinding created
clusterrolebinding.rbac.authorization.k8s.io/hnc-proxy-rolebinding created
secret/hnc-webhook-server-cert created
service/hnc-controller-manager-metrics-service created
service/hnc-webhook-service created
deployment.apps/hnc-controller-manager created
mutatingwebhookconfiguration.admissionregistration.k8s.io/hnc-mutating-webhook-configuration created
validatingwebhookconfiguration.admissionregistration.k8s.io/hnc-validating-webhook-configuration created


To install the kubectl plugin on your workstation, switch to any directory in your PATH e.g.
cd /usr/local/bin/

and run the following commands:
HNC_VERSION=v1.0.0
HNC_PLATFORM=linux_amd64 # also supported: darwin_amd64, darwin_arm64, windows_amd64
sudo curl -L https://github.com/kubernetes-sigs/hierarchical-namespaces/releases/download/${HNC_VERSION}/kubectl-hns_${HNC_PLATFORM} -o ./kubectl-hns
sudo chmod +x ./kubectl-hns
Ensure the plugin is working
kubectl hns

example output

Manipulates hierarchical namespaces provided by HNC
Usage:
  kubectl-hns [command]
Available Commands:
  completion  generate the autocompletion script for the specified shell
  config      Manipulates the HNC configuration
  create      Creates a subnamespace under the given parent.
  describe    Displays information about the hierarchy configuration
  help        Help about any command
  set         Sets hierarchical properties of the given namespace
  tree        Display one or more hierarchy trees
  version     Show version of HNC plugin
Flags:
      --as string                      Username to impersonate for the operation. User could be a regular user or a service account in a namespace.
      --as-group stringArray           Group to impersonate for the operation, this flag can be repeated to specify multiple groups.
      --as-uid string                  UID to impersonate for the operation.
      --cache-dir string               Default cache directory (default "/home/ubuntu/.kube/cache")
      --certificate-authority string   Path to a cert file for the certificate authority
      --client-certificate string      Path to a client certificate file for TLS
      --client-key string              Path to a client key file for TLS
      --cluster string                 The name of the kubeconfig cluster to use
      --context string                 The name of the kubeconfig context to use
  -h, --help                           help for kubectl-hns
      --insecure-skip-tls-verify       If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure
      --kubeconfig string              Path to the kubeconfig file to use for CLI requests.
  -n, --namespace string               If present, the namespace scope for this CLI request
      --request-timeout string         The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. (default "0")
  -s, --server string                  The address and port of the Kubernetes API server
      --tls-server-name string         Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used
      --token string                   Bearer token for authentication to the API server
      --user string                    The name of the kubeconfig user to use
  -v, --version                        version for kubectl-hns
Use "kubectl-hns [command] --help" for more information about a command.

Now use the hnc plugin to propagate the kpack image registry secret to subnamespaces.
kubectl hns config set-resource secrets --mode Propagate
(no output)
Optional: Install Service Bindings Controller


Cloud Native Buildpacks and other app frameworks (such as Spring Cloud Bindings) are adopting the K8s ServiceBinding spec model of volume mounted secrets.
We currently are providing apps access to these via the VCAP_SERVICES environment variable (see this issue) for backwards compatibility reasons.
We would also want to support the newer developments in the ServiceBinding ecosystem as well.
Install

kubectl apply -f https://github.com/vmware-tanzu/servicebinding/releases/download/v0.7.1/service-bindings-0.7.1.yaml
example output

namespace/service-bindings created
clusterrole.rbac.authorization.k8s.io/service-binding-admin created
clusterrole.rbac.authorization.k8s.io/service-binding-core created
clusterrole.rbac.authorization.k8s.io/service-binding-crd created
clusterrole.rbac.authorization.k8s.io/service-binding-apps created
clusterrole.rbac.authorization.k8s.io/service-binding-knative-serving created
clusterrole.rbac.authorization.k8s.io/service-binding-app-viewer created
serviceaccount/controller created
clusterrolebinding.rbac.authorization.k8s.io/service-binding-controller-admin created
customresourcedefinition.apiextensions.k8s.io/provisionedservices.bindings.labs.vmware.com created
customresourcedefinition.apiextensions.k8s.io/servicebindings.servicebinding.io created
customresourcedefinition.apiextensions.k8s.io/servicebindingprojections.internal.bindings.labs.vmware.com created
mutatingwebhookconfiguration.admissionregistration.k8s.io/defaulting.webhook.bindings.labs.vmware.com created
validatingwebhookconfiguration.admissionregistration.k8s.io/validation.webhook.bindings.labs.vmware.com created
validatingwebhookconfiguration.admissionregistration.k8s.io/config.webhook.bindings.labs.vmware.com created
mutatingwebhookconfiguration.admissionregistration.k8s.io/servicebindingprojections.webhook.bindings.labs.vmware.com created
secret/webhook-certs created
service/webhook created
configmap/config-kapp created
configmap/config-logging created
configmap/config-observability created
deployment.apps/manager created


Installation

Having met the prerequisites above and configured individual files accordingly, we are ready to proceed with the installation steps:

Edit the configuration file for cf-k8s-controllers  controllers/config/base/controllersconfig/cf_k8s_controllers_config.yaml to


(required) set the kpackImageTag to be the registry location you want for storing the images.
(optional) set the clusterBuilderName, if you want to use a different cluster builder with kpack.

In our example the file looks like this:
kpackImageTag: index.docker.io/1oannis/cf-k8s-controllers/kpack
clusterBuilderName: cf-kpack-cluster-builder
cfProcessDefaults:
  memoryMB: 1024
  diskQuotaMB: 1024
cfRootNamespace: cf
cfk8s_controller_namespace: cf-k8s-controllers-system
workloads_tls_secret_name: cf-k8s-workloads-ingress-cert

Edit the configuration file for cf-k8s-api api/config/base/apiconfig/cf_k8s_api_config.yaml to


set the packageRegistryBase field to be the registry location to which you want your source package image uploaded.

We have laready opted in to update the file earlier and the result is the following:
externalFQDN: "api.cfk8s.cloudruntime.eu"
internalPort: 9000

rootNamespace: cf
defaultLifecycleConfig:
  type: buildpack
  stack: cflinuxfs3
  stagingMemoryMB: 1024
  stagingDiskMB: 1024
packageRegistryBase: index.docker.io/1oannis/cf-k8s-controllers/kpack
packageRegistrySecretName: image-registry-credentials # Create this secret in the rootNamespace
clusterBuilderName: cf-kpack-cluster-builder
defaultDomainName: apps.cfk8s.cloudruntime.eu

Edit the file api/config/base/api_url_patch.yaml to specify the desired URL for the deployed API.

Again, in our example we have the following contents:
- op: replace
  path: /spec/virtualhost/fqdn
  value: "api.cfk8s.cloudruntime.eu"
example output

go: creating new go.mod: module tmp
Downloading sigs.k8s.io/controller-tools/cmd/controller-gen@v0.8.0
go: downloading sigs.k8s.io/controller-tools v0.8.0
go: downloading github.com/spf13/cobra v1.2.1
go: downloading golang.org/x/tools v0.1.6-0.20210820212750-d4cc65f0b2ff
go: downloading sigs.k8s.io/yaml v1.3.0
go: downloading github.com/fatih/color v1.12.0
go: downloading k8s.io/api v0.23.0
go: downloading k8s.io/apimachinery v0.23.0
go: downloading gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b
go: downloading k8s.io/apiextensions-apiserver v0.23.0
go: downloading github.com/gobuffalo/flect v0.2.3
go: downloading github.com/mattn/go-colorable v0.1.8
go: downloading github.com/mattn/go-isatty v0.0.12
go: downloading gopkg.in/yaml.v2 v2.4.0
go: downloading github.com/spf13/pflag v1.0.5
go: downloading github.com/gogo/protobuf v1.3.2
go: downloading k8s.io/utils v0.0.0-20210930125809-cb0fa318a74b
go: downloading github.com/google/gofuzz v1.1.0
go: downloading k8s.io/klog/v2 v2.30.0
go: downloading sigs.k8s.io/structured-merge-diff/v4 v4.1.2
go: downloading sigs.k8s.io/json v0.0.0-20211020170558-c049b76a60c6
go: downloading golang.org/x/sys v0.0.0-20210831042530-f4d43177bf5e
go: downloading gopkg.in/inf.v0 v0.9.1
go: downloading github.com/google/go-cmp v0.5.6
go: downloading golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1
go: downloading github.com/go-logr/logr v1.2.0
go: downloading golang.org/x/net v0.0.0-20210825183410-e898025ed96a
go: downloading golang.org/x/mod v0.4.2
go: downloading github.com/json-iterator/go v1.1.12
go: downloading github.com/modern-go/reflect2 v1.0.2
go: downloading github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd
go: downloading golang.org/x/text v0.3.7
/home/ubuntu/aws/cf-k8s-controllers/controllers/bin/controller-gen "crd" rbac:roleName=manager-role webhook paths="./controllers/..." output:crd:artifacts:config=controllers/config/crd/bases output:rbac:artifacts:config=controllers/config/rbac output:webhook:artifacts:config=controllers/config/webhook
go: creating new go.mod: module tmp
Downloading sigs.k8s.io/kustomize/kustomize/v4@v4.5.2
go: downloading sigs.k8s.io/kustomize/kustomize/v4 v4.5.2
go: downloading sigs.k8s.io/kustomize/api v0.11.2
go: downloading sigs.k8s.io/kustomize/cmd/config v0.10.4
go: downloading sigs.k8s.io/kustomize/kyaml v0.13.3
go: downloading sigs.k8s.io/yaml v1.2.0
go: downloading github.com/evanphx/json-patch v4.11.0+incompatible
go: downloading github.com/imdario/mergo v0.3.5
go: downloading github.com/go-errors/errors v1.0.1
go: downloading k8s.io/kube-openapi v0.0.0-20210421082810-95288971da7e
go: downloading github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00
go: downloading github.com/xlab/treeprint v0.0.0-20181112141820-a009c3971eca
go: downloading github.com/stretchr/testify v1.7.0
go: downloading github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510
go: downloading github.com/olekukonko/tablewriter v0.0.4
go: downloading go.starlark.net v0.0.0-20200306205701-8dd3e2ee1dd5
go: downloading github.com/pmezard/go-difflib v1.0.0
go: downloading github.com/mattn/go-runewidth v0.0.7
go: downloading github.com/mitchellh/mapstructure v1.4.1
go: downloading github.com/go-openapi/swag v0.19.5
go: downloading github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a
go: downloading github.com/go-openapi/jsonreference v0.19.3
go: downloading github.com/mailru/easyjson v0.7.0
go: downloading github.com/go-openapi/jsonpointer v0.19.3
go: downloading github.com/PuerkitoBio/purell v1.1.1
go: downloading golang.org/x/text v0.3.5
go: downloading golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4
go: downloading github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578
/home/ubuntu/aws/cf-k8s-controllers/controllers/bin/kustomize build controllers/config/crd | kubectl apply -f -
customresourcedefinition.apiextensions.k8s.io/cfapps.workloads.cloudfoundry.org created
customresourcedefinition.apiextensions.k8s.io/cfbuilds.workloads.cloudfoundry.org created
customresourcedefinition.apiextensions.k8s.io/cfdomains.networking.cloudfoundry.org created
customresourcedefinition.apiextensions.k8s.io/cfpackages.workloads.cloudfoundry.org created
customresourcedefinition.apiextensions.k8s.io/cfprocesses.workloads.cloudfoundry.org created
customresourcedefinition.apiextensions.k8s.io/cfroutes.networking.cloudfoundry.org created
customresourcedefinition.apiextensions.k8s.io/cfservicebindings.services.cloudfoundry.org created
customresourcedefinition.apiextensions.k8s.io/cfserviceinstances.services.cloudfoundry.org created
cd controllers/config/manager && /home/ubuntu/aws/cf-k8s-controllers/controllers/bin/kustomize edit set image cloudfoundry/cf-k8s-controllers=cloudfoundry/cf-k8s-controllers:latest
/home/ubuntu/aws/cf-k8s-controllers/controllers/bin/kustomize build controllers/config/default -o controllers/reference/cf-k8s-controllers.yaml
/home/ubuntu/aws/cf-k8s-controllers/controllers/bin/kustomize build controllers/config/default | kubectl apply -f -
namespace/cf-k8s-controllers-system created
customresourcedefinition.apiextensions.k8s.io/cfapps.workloads.cloudfoundry.org configured
customresourcedefinition.apiextensions.k8s.io/cfbuilds.workloads.cloudfoundry.org configured
customresourcedefinition.apiextensions.k8s.io/cfdomains.networking.cloudfoundry.org configured
customresourcedefinition.apiextensions.k8s.io/cfpackages.workloads.cloudfoundry.org configured
customresourcedefinition.apiextensions.k8s.io/cfprocesses.workloads.cloudfoundry.org configured
customresourcedefinition.apiextensions.k8s.io/cfroutes.networking.cloudfoundry.org configured
customresourcedefinition.apiextensions.k8s.io/cfservicebindings.services.cloudfoundry.org configured
customresourcedefinition.apiextensions.k8s.io/cfserviceinstances.services.cloudfoundry.org configured
serviceaccount/cf-k8s-controllers-controller-manager created
role.rbac.authorization.k8s.io/cf-k8s-controllers-leader-election-role created
clusterrole.rbac.authorization.k8s.io/cf-k8s-controllers-admin created
clusterrole.rbac.authorization.k8s.io/cf-k8s-controllers-cfservicebinding-reconciler-role created
clusterrole.rbac.authorization.k8s.io/cf-k8s-controllers-manager-role created
clusterrole.rbac.authorization.k8s.io/cf-k8s-controllers-metrics-reader created
clusterrole.rbac.authorization.k8s.io/cf-k8s-controllers-organization-manager created
clusterrole.rbac.authorization.k8s.io/cf-k8s-controllers-organization-user created
clusterrole.rbac.authorization.k8s.io/cf-k8s-controllers-proxy-role created
clusterrole.rbac.authorization.k8s.io/cf-k8s-controllers-root-namespace-user created
clusterrolebinding.rbac.authorization.k8s.io/cf-k8s-controllers-manager-rolebinding created
clusterrolebinding.rbac.authorization.k8s.io/cf-k8s-controllers-proxy-rolebinding created
configmap/cf-k8s-controllers-config created
configmap/cf-k8s-controllers-manager-config created
service/cf-k8s-controllers-controller-manager-metrics-service created
service/cf-k8s-controllers-webhook-service created
deployment.apps/cf-k8s-controllers-controller-manager created
certificate.cert-manager.io/cf-k8s-controllers-serving-cert created
issuer.cert-manager.io/cf-k8s-controllers-selfsigned-issuer created
tlscertificatedelegation.projectcontour.io/cf-k8s-controllers-workloads-fallback-delegation created
mutatingwebhookconfiguration.admissionregistration.k8s.io/cf-k8s-controllers-mutating-webhook-configuration created
validatingwebhookconfiguration.admissionregistration.k8s.io/cf-k8s-controllers-validating-webhook-configuration created
/home/ubuntu/aws/cf-k8s-controllers/controllers/bin/controller-gen "crd" rbac:roleName=cf-admin-clusterrole paths=./api/... output:rbac:artifacts:config=api/config/base/rbac
cd api/config/base && /home/ubuntu/aws/cf-k8s-controllers/controllers/bin/kustomize edit set image cloudfoundry/cf-k8s-api=cloudfoundry/cf-k8s-api:latest
/home/ubuntu/aws/cf-k8s-controllers/controllers/bin/kustomize build api/config/base -o api/reference/cf-k8s-api.yaml
/home/ubuntu/aws/cf-k8s-controllers/controllers/bin/kustomize build api/config/base | kubectl apply -f -
namespace/cf-k8s-api-system created
serviceaccount/cf-k8s-api-cf-admin-serviceaccount created
clusterrole.rbac.authorization.k8s.io/cf-k8s-api-cf-admin-clusterrole created
clusterrolebinding.rbac.authorization.k8s.io/cf-k8s-api-cf-admin-clusterrolebinding created
configmap/cf-k8s-api-config-dht8hb62cg created
service/cf-k8s-api-svc created
deployment.apps/cf-k8s-api-deployment created
httpproxy.projectcontour.io/cf-k8s-api-proxy created

Deploy

make deploy
example output

/home/ubuntu/aws/cf-k8s-controllers/controllers/bin/controller-gen "crd" rbac:roleName=manager-role webhook paths="./controllers/..." output:crd:artifacts:config=controllers/config/crd/bases output:rbac:artifacts:config=controllers/config/rbac output:webhook:artifacts:config=controllers/config/webhook
/home/ubuntu/aws/cf-k8s-controllers/controllers/bin/kustomize build controllers/config/crd | kubectl apply -f -
customresourcedefinition.apiextensions.k8s.io/cfapps.workloads.cloudfoundry.org created
customresourcedefinition.apiextensions.k8s.io/cfbuilds.workloads.cloudfoundry.org created
customresourcedefinition.apiextensions.k8s.io/cfdomains.networking.cloudfoundry.org created
customresourcedefinition.apiextensions.k8s.io/cfpackages.workloads.cloudfoundry.org created
customresourcedefinition.apiextensions.k8s.io/cfprocesses.workloads.cloudfoundry.org created
customresourcedefinition.apiextensions.k8s.io/cfroutes.networking.cloudfoundry.org created
customresourcedefinition.apiextensions.k8s.io/cfservicebindings.services.cloudfoundry.org created
customresourcedefinition.apiextensions.k8s.io/cfserviceinstances.services.cloudfoundry.org created
cd controllers/config/manager && /home/ubuntu/aws/cf-k8s-controllers/controllers/bin/kustomize edit set image cloudfoundry/cf-k8s-controllers=cloudfoundry/cf-k8s-controllers:latest
/home/ubuntu/aws/cf-k8s-controllers/controllers/bin/kustomize build controllers/config/default -o controllers/reference/cf-k8s-controllers.yaml
/home/ubuntu/aws/cf-k8s-controllers/controllers/bin/kustomize build controllers/config/default | kubectl apply -f -
namespace/cf-k8s-controllers-system created
customresourcedefinition.apiextensions.k8s.io/cfapps.workloads.cloudfoundry.org configured
customresourcedefinition.apiextensions.k8s.io/cfbuilds.workloads.cloudfoundry.org configured
customresourcedefinition.apiextensions.k8s.io/cfdomains.networking.cloudfoundry.org configured
customresourcedefinition.apiextensions.k8s.io/cfpackages.workloads.cloudfoundry.org configured
customresourcedefinition.apiextensions.k8s.io/cfprocesses.workloads.cloudfoundry.org configured
customresourcedefinition.apiextensions.k8s.io/cfroutes.networking.cloudfoundry.org configured
customresourcedefinition.apiextensions.k8s.io/cfservicebindings.services.cloudfoundry.org configured
customresourcedefinition.apiextensions.k8s.io/cfserviceinstances.services.cloudfoundry.org configured
serviceaccount/cf-k8s-controllers-controller-manager created
role.rbac.authorization.k8s.io/cf-k8s-controllers-leader-election-role created
clusterrole.rbac.authorization.k8s.io/cf-k8s-controllers-admin created
clusterrole.rbac.authorization.k8s.io/cf-k8s-controllers-cfservicebinding-reconciler-role created
clusterrole.rbac.authorization.k8s.io/cf-k8s-controllers-manager-role created
clusterrole.rbac.authorization.k8s.io/cf-k8s-controllers-metrics-reader created
clusterrole.rbac.authorization.k8s.io/cf-k8s-controllers-organization-manager created
clusterrole.rbac.authorization.k8s.io/cf-k8s-controllers-organization-user created
clusterrole.rbac.authorization.k8s.io/cf-k8s-controllers-proxy-role created
clusterrole.rbac.authorization.k8s.io/cf-k8s-controllers-root-namespace-user created
clusterrole.rbac.authorization.k8s.io/cf-k8s-controllers-space-auditor created
clusterrole.rbac.authorization.k8s.io/cf-k8s-controllers-space-developer created
clusterrole.rbac.authorization.k8s.io/cf-k8s-controllers-space-manager created
rolebinding.rbac.authorization.k8s.io/cf-k8s-controllers-leader-election-rolebinding created
clusterrolebinding.rbac.authorization.k8s.io/cf-k8s-controllers-manager-rolebinding created
clusterrolebinding.rbac.authorization.k8s.io/cf-k8s-controllers-proxy-rolebinding created
configmap/cf-k8s-controllers-config created
configmap/cf-k8s-controllers-manager-config created
service/cf-k8s-controllers-controller-manager-metrics-service created
service/cf-k8s-controllers-webhook-service created
deployment.apps/cf-k8s-controllers-controller-manager created
certificate.cert-manager.io/cf-k8s-controllers-serving-cert created
issuer.cert-manager.io/cf-k8s-controllers-selfsigned-issuer created
tlscertificatedelegation.projectcontour.io/cf-k8s-controllers-workloads-fallback-delegation created
mutatingwebhookconfiguration.admissionregistration.k8s.io/cf-k8s-controllers-mutating-webhook-configuration created
validatingwebhookconfiguration.admissionregistration.k8s.io/cf-k8s-controllers-validating-webhook-configuration created
/home/ubuntu/aws/cf-k8s-controllers/controllers/bin/controller-gen "crd" rbac:roleName=cf-admin-clusterrole paths=./api/... output:rbac:artifacts:config=api/config/base/rbac
cd api/config/base && /home/ubuntu/aws/cf-k8s-controllers/controllers/bin/kustomize edit set image cloudfoundry/cf-k8s-api=cloudfoundry/cf-k8s-api:latest
/home/ubuntu/aws/cf-k8s-controllers/controllers/bin/kustomize build api/config/base -o api/reference/cf-k8s-api.yaml
/home/ubuntu/aws/cf-k8s-controllers/controllers/bin/kustomize build api/config/base | kubectl apply -f -
namespace/cf-k8s-api-system created
serviceaccount/cf-k8s-api-cf-admin-serviceaccount created
clusterrole.rbac.authorization.k8s.io/cf-k8s-api-cf-admin-clusterrole created
clusterrolebinding.rbac.authorization.k8s.io/cf-k8s-api-cf-admin-clusterrolebinding created
configmap/cf-k8s-api-config-dht8hb62cg created
service/cf-k8s-api-svc created
deployment.apps/cf-k8s-api-deployment created
httpproxy.projectcontour.io/cf-k8s-api-proxy created


The following two pods are added to our cluster:
NAMESPACE                   NAME                                                     READY   STATUS      RESTARTS   AGE
cf-k8s-api-system           cf-k8s-api-deployment-5dfd484d57-jlvfx                   1/1     Running     0          55s
cf-k8s-controllers-system   cf-k8s-controllers-controller-manager-56b9b84884-fz86z   2/2     Running     0          77s
Post Deployment

Configure Image Registry Credentials Secret

kubectl create secret docker-registry image-registry-secret \
    --docker-username="1oannis" \
    --docker-password="s0m3p@$$w0rd" \
    --docker-server="https://index.docker.io/v1/" --namespace cf-k8s-api-system
example output

secret/image-registry-secret created


example output